Any IT Security professionals out there?


Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
IME...college/education is not a significant factor in hiring for Security.

Experience, and good judgement (that thing you get from bad experiences) are more significant. I'm a security pro. Been doing it for ~9 years, one of a staff of about 18, doing Info Sys Security for a large publicly held corporation.

I came out of the Operations area, doing server/domain/sysadmin type of support work. I have very intentionally avoided pretty much every operations-related role in ISS (A/V, firewalls, IDS, then IPS, log monitoring, etc..), and transferred it to a new guy when I couldn't avoid it. I *like* being able to sleep at night! I primarily work in PKI, assisting application owners in using our PKI. Other big projects have included setting up client encryption (then turned most of it over to the ops group), and architecting authentication solutions (usually PKI based, but not always).

If you want to work in the field, then:
1. Spend time as a sysadmin, netadmin, or similar role.
2. Understand networking, and the roles/features of different network devices. (Router, switch, DNS, DHCP, firewall, tap, WAP, OSI stack, etc...)
3. Plan to turn your job over to other, not as smart people. Figure out a way to implement a particular protection (a/v, data encryption, VPN, strong authentication, etc..)...then turn over all the front-line support to a 24-hour help desk. That way you'll have time to move on to other new and interesting technologies.
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
Hi all, anything new and interesting in the IT Security world?

I have some more questions. Anyone have their CISSP? I currently have 1.5 years of related work experience (IT Auditing) and I heard ISC2 changed the number of years of required experience from 4 years to 5. I have 2 additional years of applicable work experience from having a BS degree and a GIAC cert. So does this mean I need 1.5 more years of related work experience?

Also, what does everyone think of the Security+ cert? I just got my Network+ just to get familiar with some networking concepts even though I know it's not worth much. Since I can't get the CISSP yet, I was thinking of getting the Security+ first. Thanks for the advice.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
you'll only need 6 more months if your GIAC cert is on the list of ISC approved ones.

Your degree has to be in information security and also from a Center of Academic Excellence in Information Assurance Education (CAEIAE) to count for another year.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Zugzwang152
Originally posted by: Oakenfold
Originally posted by: Zugzwang152
and by Security I mean the "what's the best free antivirus?" forum.
Sorry, couldn't resist Zug that's a great quote! :laugh:

April 1, 2008: you should get this forum renamed to "what's the best free antivirus?" for a day

If he gets that, then *I* should get Software For Windows renamed to "How to keep dog poo off my lawn"

 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: mechBgon
Originally posted by: Zugzwang152
Originally posted by: Oakenfold
Originally posted by: Zugzwang152
and by Security I mean the "what's the best free antivirus?" forum.
Sorry, couldn't resist Zug that's a great quote! :laugh:

April 1, 2008: you should get this forum renamed to "what's the best free antivirus?" for a day

If he gets that, then *I* should get Software For Windows renamed to "How to keep dog poo off my lawn"

I'm tempted to visit that forum now. :Q
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
Originally posted by: Zugzwang152
you'll only need 6 more months if your GIAC cert is on the list of ISC approved ones.

Your degree has to be in information security and also from a Center of Academic Excellence in Information Assurance Education (CAEIAE) to count for another year.


How do you come up with 6 more months?
The total required is 5 years right?
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: vital
Originally posted by: Zugzwang152
you'll only need 6 more months if your GIAC cert is on the list of ISC approved ones.

Your degree has to be in information security and also from a Center of Academic Excellence in Information Assurance Education (CAEIAE) to count for another year.


How do you come up with 6 more months?
The total required is 5 years right?

You currently have 3.5 years of experience (1.5 in auditing + 2 additional other). Your GIAC cert, if on the approved list, counts as 1 year of experience. That's 4.5. You need .5 more years to get 5 total.
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
Originally posted by: Zugzwang152
Originally posted by: vital
Originally posted by: Zugzwang152
you'll only need 6 more months if your GIAC cert is on the list of ISC approved ones.

Your degree has to be in information security and also from a Center of Academic Excellence in Information Assurance Education (CAEIAE) to count for another year.


How do you come up with 6 more months?
The total required is 5 years right?

You currently have 3.5 years of experience (1.5 in auditing + 2 additional other). Your GIAC cert, if on the approved list, counts as 1 year of experience. That's 4.5. You need .5 more years to get 5 total.

Oh I included the GIAC in the 2 additional other ( 1 for giac and 1 for degree).

 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: vital
Originally posted by: Zugzwang152
Originally posted by: vital
Originally posted by: Zugzwang152
you'll only need 6 more months if your GIAC cert is on the list of ISC approved ones.

Your degree has to be in information security and also from a Center of Academic Excellence in Information Assurance Education (CAEIAE) to count for another year.


How do you come up with 6 more months?
The total required is 5 years right?

You currently have 3.5 years of experience (1.5 in auditing + 2 additional other). Your GIAC cert, if on the approved list, counts as 1 year of experience. That's 4.5. You need .5 more years to get 5 total.

Oh I included the GIAC in the 2 additional other ( 1 for giac and 1 for degree).

which CAEIAE school and what degree?
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
Originally posted by: Zugzwang152
Originally posted by: vital
Originally posted by: Zugzwang152
Originally posted by: vital
Originally posted by: Zugzwang152
you'll only need 6 more months if your GIAC cert is on the list of ISC approved ones.

Your degree has to be in information security and also from a Center of Academic Excellence in Information Assurance Education (CAEIAE) to count for another year.


How do you come up with 6 more months?
The total required is 5 years right?

You currently have 3.5 years of experience (1.5 in auditing + 2 additional other). Your GIAC cert, if on the approved list, counts as 1 year of experience. That's 4.5. You need .5 more years to get 5 total.

Oh I included the GIAC in the 2 additional other ( 1 for giac and 1 for degree).

which CAEIAE school and what degree?

Sorry I only have an MIS degree from a CSU. So a CAEIAE school and degree is worth 2 years?
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: vital
Originally posted by: Zugzwang152
Originally posted by: vital
Originally posted by: Zugzwang152
Originally posted by: vital
Originally posted by: Zugzwang152
you'll only need 6 more months if your GIAC cert is on the list of ISC approved ones.

Your degree has to be in information security and also from a Center of Academic Excellence in Information Assurance Education (CAEIAE) to count for another year.


How do you come up with 6 more months?
The total required is 5 years right?

You currently have 3.5 years of experience (1.5 in auditing + 2 additional other). Your GIAC cert, if on the approved list, counts as 1 year of experience. That's 4.5. You need .5 more years to get 5 total.

Oh I included the GIAC in the 2 additional other ( 1 for giac and 1 for degree).

which CAEIAE school and what degree?

Sorry I only have an MIS degree from a CSU. So a CAEIAE school and degree is worth 2 years?

I believe you have to have a CAEIAE degree to get the one year. Just any old degree doesn't count.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Link to work experience requirements:
https://www.isc2.org/cgi-bin/content.cgi?category=1187


Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master's Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master's degree, you may only apply for a one year waiver of experience.
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
Originally posted by: Zugzwang152
Link to work experience requirements:
https://www.isc2.org/cgi-bin/content.cgi?category=1187


Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master's Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master's degree, you may only apply for a one year waiver of experience.

So I guess I need 2.5 more years to reach the 5 required? 1.5 experience + 1 giac = 2.5. Damn that's gonna take forever. I might as well go back for CAEIAE degree.
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
Originally posted by: Zugzwang152
Link to work experience requirements:
https://www.isc2.org/cgi-bin/content.cgi?category=1187


Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master's Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master's degree, you may only apply for a one year waiver of experience.


Hey Zugz, I asked some experienced professionals and they clarified that it means

a) four-year college degree

OR

b) Master's Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE)


wow.. it's been a year and I just started studying a month ago lol.... I think I need about another year to be certified though.
 

WobbleWobble

Diamond Member
Jun 29, 2001
4,867
1
0
If you don't have the full work experience, I believe you can write the exam anyways under the Associate of ISC2 until you get the formal experience required.

But I am a security analyst working for the hospitals up here in Canada. I'm working towards getting some formal certification (CISSP first) but I've had about 5-6 years of development and network administration background. My education specialized in Network Administration and Security and I have a diploma and degree to show for it.

We're Microsoft heavy here, so I'll be heading towards some Microsoft certifications later on. GIAC from what I know and been told isn't popular where I am.

The most successful security professionals I know don't have very many formal certifications or education, but they have a ton of experience. That said, it's not easy to get your foot in the door to get that experience without formal certification or education.
 

law9933

Senior member
Sep 11, 2006
394
0
0
All of you are into working with major systems. Are you wanting the forum to be a place to help each other do that? It was mentioned originally that this forum might disappear? "Let's make this forum something before it disappears into nothingness!" I thought online security forums were used by home/small business PC users in need of AV, AS, malware assistance. I have often seen the main answer to a malware problem is wipe & reinstall. Many PC users do not backup their valued info & are wanting rescued.

I, as a simple member, am confused.

Other websites have HJT advisers that can save an infected PC after a lot of time & work. They have a large group of members giving easier advice & many happy members that have had their problems solved.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: vital
Originally posted by: Zugzwang152
Link to work experience requirements:
https://www.isc2.org/cgi-bin/content.cgi?category=1187


Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master's Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master's degree, you may only apply for a one year waiver of experience.


Hey Zugz, I asked some experienced professionals and they clarified that it means

a) four-year college degree

OR

b) Master's Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE)


wow.. it's been a year and I just started studying a month ago lol.... I think I need about another year to be certified though.

Yup that's right. Thanks for following up. I did my own research a year ago but I guess I forgot to post it here. Thanks!
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: law9933
All of you are into working with major systems. Are you wanting the forum to be a place to help each other do that? It was mentioned originally that this forum might disappear? "Let's make this forum something before it disappears into nothingness!" I thought online security forums were used by home/small business PC users in need of AV, AS, malware assistance. I have often seen the main answer to a malware problem is wipe & reinstall. Many PC users do not backup their valued info & are wanting rescued.

I, as a simple member, am confused.

Other websites have HJT advisers that can save an infected PC after a lot of time & work. They have a large group of members giving easier advice & many happy members that have had their problems solved.

I don't know what the mods originally intended this forum to be, quite possibly it was both. The fact is that the vast majority of AT users are here because they want help with the malware infections, or in securing their home or small business PC.

There is a small group of users here that are active or aspiring security professionals, but as it turned out, not enough to achieve critical mass compared to the overwhelming need for antivirus/malware support.

The posts above reflected this situation, which myself, the mods, and others who chimed in were well aware of even at the birth of this forum.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: Zugzwang152
There is a small group of users here that are active or aspiring security professionals, but as it turned out, not enough to achieve critical mass compared to the overwhelming need for antivirus/malware support.
Yup. This forum is pretty low volume compared to many AnandTech forums. It seems to combine some "professional" discussion of security issues along with folks wanting help with infections. I don't see anything wrong with that. Just the way it turned out.
 

beef5stew

Junior Member
Jul 26, 2008
6
0
0
Strange, had a few minutes during lunch to poke around on AnandTech..didn't expect to see a thread for Security.

I'm a 15 year security veteran. I started out work for the government as an automation specialist. From there I went to Axent technologies as a consultant. That was fun. I was able to travel to all 50 states and a few countries in Europe showing them the software and helping installs. I was in my early 20s, so the travel was a big plus for me.

From there I joined a big 6 accounting firm (there were 6 back then) and was part of the first security services offering. I got a CISSP and a CISM. My specialty was penetration testing, but also did Business continuity planning, access administration design, SAS70 compliance and eventually Sarbanes Oxley. When I got tired of the constant travel, I settled down as the chief security architect for a credit card company.

Did that for 5 years, and moved to a larger bank where I serve as the CSO for one of the lines of business. I have about 65 people on my team who manage all aspects of security. I can clarify some of the items on this forum:

1. College degree absolutely matters. Just about everyone who interviews has a degree. It doesn't help you compete against other people with a college degree, but it gets you to the interview.

2. Value of credential: 1. CISSP 2. CISA 3. CISM 4. GIAC. All other credentials don't matter much.

3. My MVPs: PenTester; Network Security Architect; Database Security Guy; LDAP guy. You will never ever find someone who does one of those things who is unemployed. They are near IMPOSSIBLE to find. Usually have to pay an obscene amount to get them from other companies.

4. What I want people to know: PCI, SOX, GLBA, HIPAA, COSO, BASEL-II, REG Z, and standard security audit procedures.

5. If you can work for a big 4 accounting firm for even a year, do it. We call that a "golden Ticket", you can work anywhere you want with that experience on your resume.

6. Reading IDS logs stinks. Put in a log parser that follows IF/THEN/ELSE statements. Get an email if something happens that falls out. Most people are using SIM/SEM tools to do this. Check out ArcSight...they have a good tool to do it.

Beef
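
The IF/THEN/ELSE log triage from item 6 above, as an added Python example that is not part of beef5stew's post or any vendor's code. The Snort-style sample alerts, SIDs, internal network range, noisy-SID list and mail addresses are constructed assumptions, and "falls out" is read here as anything the rules do not dismiss, including lines the parser cannot read.

```python
import re
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Constructed sample in Snort "fast" alert layout; SIDs, messages and addresses are invented.
SAMPLE_LOG = """\
07/26-12:01:10.100000  [**] [1:1000001:1] ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
07/26-12:03:42.200000  [**] [1:1000002:2] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4444 -> 192.0.2.20:22
07/26-12:05:00.300000  [**] [1:1000003:1] Outbound DNS query for dynamic host [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.5:5353 -> 192.0.2.53:53
07/26-12:07:15.400000  [**] [1:1000001:1] ICMP ping sweep [**] [Classification: Misc activity] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.20
07/26-12:09:00.000000  [**] [1:1000004:1] truncated
"""

ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification: [^\]]+\])?\s+\[Priority: (?P<prio>\d+)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)
INTERNAL_NET = ip_network("192.0.2.0/24")  # assumption: the monitored internal range
KNOWN_NOISY_SIDS = {1000001}               # assumption: signatures tuned out for internal sources

def parse_line(line):
    """Return a dict for a well-formed alert line, or None if it cannot be parsed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"sid": int(m["sid"]), "prio": int(m["prio"]), "msg": m["msg"],
            "src": m["src"], "dst": m["dst"]}

def triage(alert):
    """Ordered IF/THEN/ELSE rules; the final else is where unexpected events fall out."""
    if alert["prio"] == 1:
        return "email"    # highest severity always reaches a person
    elif alert["sid"] in KNOWN_NOISY_SIDS and ip_address(alert["src"]) in INTERNAL_NET:
        return "ignore"   # known noise, but only when it comes from inside
    elif alert["prio"] >= 3:
        return "digest"   # low severity: keep for a periodic summary
    else:
        return "email"    # matched no rule above: send it for review

def run(log_text):
    buckets = {"email": [], "digest": [], "ignore": [], "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = parse_line(line)
        if alert is None:
            buckets["unparsed"].append(line.strip())  # never drop what we cannot read
        else:
            buckets[triage(alert)].append(alert)
    return buckets

def build_email(buckets, sender="ids@example.org", recipient="soc@example.org"):
    """Build (not send) the notification; returns None when nothing needs review."""
    lines = [f"prio {a['prio']} sid {a['sid']} {a['msg']} {a['src']} -> {a['dst']}"
             for a in buckets["email"]]
    lines += [f"UNPARSED: {raw}" for raw in buckets["unparsed"]]
    if not lines:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"IDS triage: {len(lines)} item(s) need review"
    msg.set_content("\n".join(lines))
    return msg  # in a deployment, hand this to smtplib.SMTP.send_message()

if __name__ == "__main__":
    print(build_email(run(SAMPLE_LOG)))
```

The same noisy signature is ignored from an internal source but mailed when it arrives from outside, which is the kind of distinction a flat severity filter misses.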
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
Welcome Beef!

I just got back from taking the CISSP exam... I think I studied for the wrong exam or something.. Many of the questions were really confusing. I had to guess on many of the questions where 2 or more of the answers seemed correct. Just glad it's over with now. I had the same feeling when I finished taking the CISA exam but this one is like 10x worse!
 

Shaotai

Platinum Member
Jan 22, 2002
2,062
0
0
Welcome Beef!

I just got back from taking the CISSP exam... I think I studied for the wrong exam or something.. Many of the questions were really confusing. I had to guess on many of the questions where 2 or more of the answers seemed correct. Just glad it's over with now. I had the same feeling when I finished taking the CISA exam but this one is like 10x worse!

I just got my results back today, I passed! I'm sure you did just fine, I felt exactly as you did...
It's been a long wait, but it was worth the effort. I'm still unemployed, and I'm working at making myself more desirable as an employee. Next, to work on getting some networking certs for me. (CCNA/CCNP) I have my mini home Cisco lab setup, now just going through and working at it...
 

spikespiegal

Golden Member
Oct 10, 2005
1,219
9
76
There is a small group of users here that are active or aspiring security professionals, but as it turned out, not enough to achieve critical mass compared to the overwhelming need for antivirus/malware support.

That's because Malware/AV support has little to do with security.

I don't classify myself nearly in the same caliber as beef5stew, but I have been an administrator for two regional banks and a huge health care provider, and have a strong conceptual grasp of what he's talking about.

There is a *huge* quantum leap between what we deal with in corporate, and the average post here wanting to fix a Malware issue because the OP induced the problem downloading a cracked porn-streamer from Bit-Torrent. In corporate we are far more concerned with pro-active security behaviour, and we don't have to contend with a multi-jillion dollar software industry devoted towards keeping PC users dumbed down and buying AV software that does little if anything.

If this were a *true* Security forum we'd be encouraging people in the direction of the best practices and discouraging Pop Culture beliefs that only make our jobs harder. There are plenty of other forums dealing with hundreds of pages of Hijack dumps.
 

beef5stew

Junior Member
Jul 26, 2008
6
0
0
The CISSP test was by far the hardest credential exam I ever took. And a good portion of my peers who took it the same time I did (1990) failed it.

One thing I found out is that there are a lot of "Test" test questions. Specifically, these are questions that aren't officially test questions yet, they want to see how people answer them. Those are the ones that you usually end up scratching your head because the correct answer isn't very clear. Most people walk out of the testing feeling uneasy because of those questions.

Beef
 